I have to say that there are not many detailed NAT64 configuration examples on CSDN; the posts are either copied or reposted~
Today I also did a small experiment with NAT64. To be honest, this kind of requirement rarely comes up in day-to-day work. I will analyze it in detail below.
The scenario is very simple: the yellow area is the IPv6 internal network and the blue area is the IPv4 external network, and pc1 must be able to access server 1 through NAT64.
Without further ado, on to the configuration. Follow my order step by step.
pc1 configuration
server configuration
switch configuration
sysname lsw1 //Set the switch name
#
ipv6 // Enable v6 function
#
vlan batch 10 100 //Create business vlan10 and layer-3 interconnection vlan100
#
interface GigabitEthernet0/0/1 //Enter the business interface
port link-type access //Configure the interface as an access port
port default vlan 10 //The interface belongs to vlan10; untagged frames are placed in vlan10
#
interface GigabitEthernet0/0/24 //Enter the Layer 2 interconnection interface
port link-type access //Configure the interface as an access port
port default vlan 100 //The interface belongs to vlan100; untagged frames are placed in vlan100
#
interface Vlanif10 //Enter the Layer 3 vlan10 gateway
ipv6 enable //Enable v6
ipv6 address 2001:ABCD:1234:11::254/64 //Configure v6 gateway
#
interface Vlanif100
ipv6 enable
ipv6 address 2001:ABCD:1234:100::254/96 //Configure the Layer 3 interconnection address
#
ipv6 route-static :: 0 2001:ABCD:1234:100::253 //Configure the v6 default route toward the firewall, because pc1 will access a v6 address inside the nat64 prefix
router configuration
There is nothing to say about this, just configure the ip. If you don’t understand this, just close the current webpage and do something else
sysname R1
#
interface GigabitEthernet0/0/0
ip address 200.0.0.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 201.0.0.254 255.255.255.0
Focus - firewall configuration
sysname FW1 //Change the name
#
ipv6 // Enable v6 function
#
Enable IPv6 on the interface, configure the IP addresses, and permit ping to the interfaces
interface GigabitEthernet1/0/0
ipv6 enable
ipv6 address 2001:ABCD:1234:100::253/96
service-manage ping permit
nat64 enable //Enable NAT64 translation; it can be configured first or last, but it must be configured on the interface facing the v6 network
#
interface GigabitEthernet1/0/1
ip address 200.0.0.1 255.255.255.0
service-manage ping permit
#
Assign the firewall interfaces to security zones
firewall zone trust
add interface GigabitEthernet1/0/0 //v6 network is the trust zone
#
firewall zone untrust
add interface GigabitEthernet1/0/1 //v4 network is the untrust zone
#
Configure v4 network reachability
ip route-static 0.0.0.0 0.0.0.0 200.0.0.2 //Configure the default route to the server
#
Configure v6 network reachability
ipv6 route-static 2001:ABCD:1234:11:: 64 2001:ABCD:1234:100::254 //Configure the static v6 route to pc1's /64 network
#
Configure the address pool used after NAT translation; a static one-to-one mapping can also be configured
nat address-group 1 0 //Create an address pool
mode pat
section 0 200.0.0.10 200.0.0.20 //The pool range lies in the subnet of the firewall's v4 outgoing interface
#
Configure the v6 prefix that maps to v4 destinations. Only traffic sent to an address inside this prefix is converted to v4; traffic to any other destination is not.
nat64 prefix 3001:: 96
#
Configure Security Policy
security-policy
rule name nat64 //Create the rule
source-zone trust //source zone - refers to v6
destination-zone untrust //destination zone - refers to v4
source-address 2001:ABCD:1234:11:: 64 //source address prefix and prefix length
action permit //permit traffic that matches the rule
#
Configure nat policy
nat-policy
rule name nat64
source-zone trust
destination-zone untrust
source-address 2001:ABCD:1234:11:: 64
nat-type nat64 //The type is nat64
action source-nat address-group 1 //Source NAT using address group 1
test
The prefix is /96, an IPv4 address is exactly 32 bits, and a v6 address is 128 bits, so the IPv4 address of the server fills the last 32 bits after the prefix (96 + 32 = 128).
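The address arithmetic behind this test, as an added example that is not from the original post: it builds the v6 address pc1 has to ping from `nat64 prefix 3001:: 96` and models which packets the nat64 rule translates. The server address 201.0.0.1 and the pc1 address 2001:abcd:1234:11::1 are assumptions, because the page does not show them.

```python
import ipaddress

# Values taken from the firewall configuration on this page.
NAT64_PREFIX = ipaddress.IPv6Network("3001::/96")                # nat64 prefix 3001:: 96
POLICY_SOURCE = ipaddress.IPv6Network("2001:ABCD:1234:11::/64")  # source-address of rule nat64


def synthesize(ipv4, prefix=NAT64_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 prefix (RFC 6052 layout)."""
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 layout used on this page is handled")
    return ipaddress.IPv6Address(
        int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4))
    )


def extract(ipv6, prefix=NAT64_PREFIX):
    """Return the embedded IPv4 destination, or None if ipv6 is outside the prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def translate(src6, dst6):
    """Model the NAT64 decision for one packet arriving from the trust zone.

    Returns (translated, ipv4_destination). On a match the source is rewritten
    to an address from the pool 200.0.0.10-200.0.0.20 (mode pat); which one is
    chosen is up to the device and is not modelled here.
    """
    dst4 = extract(dst6)
    if dst4 is None:
        return (False, None)   # destination not inside the nat64 prefix
    if ipaddress.IPv6Address(src6) not in POLICY_SOURCE:
        return (False, None)   # source not matched by rule nat64
    return (True, dst4)


if __name__ == "__main__":
    server = "201.0.0.1"            # assumed server address (constructed)
    pc1 = "2001:abcd:1234:11::1"    # assumed pc1 address (constructed)
    target = synthesize(server)
    print("address to ping from pc1:", target)
    print("to nat64 prefix:", translate(pc1, str(target)))
    print("to firewall interface:", translate(pc1, "2001:abcd:1234:100::253"))
```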
Looking at the session table of the firewall v6, you can see the converted
Look at the session table of v4 after the conversion is successful, don’t read it wrong, friends
What else do you want to see? See you in the comment area